Re: Streaming replication as a separate permissions

From: Robert Haas <robertmhaas(at)gmail(dot)com>
To: Magnus Hagander <magnus(at)hagander(dot)net>
Cc: Peter Eisentraut <peter_e(at)gmx(dot)net>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Stephen Frost <sfrost(at)snowman(dot)net>, Florian Pflug <fgp(at)phlo(dot)org>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: Streaming replication as a separate permissions
Date: 2011-01-03 15:59:54
Message-ID: AANLkTikfuJebhqpC865zT1izKCX2WhQgX-fcVxq-CQL8@mail.gmail.com
Lists: pgsql-hackers

On Mon, Jan 3, 2011 at 6:00 AM, Magnus Hagander <magnus(at)hagander(dot)net> wrote:
> On Fri, Dec 31, 2010 at 15:38, Magnus Hagander <magnus(at)hagander(dot)net> wrote:
>> On Thu, Dec 30, 2010 at 15:54, Peter Eisentraut <peter_e(at)gmx(dot)net> wrote:
>>> On ons, 2010-12-29 at 11:09 +0100, Magnus Hagander wrote:
>>>> I've applied this version (with some minor typo-fixes).
>>>
>>> This page is now somewhat invalidated:
>>>
>>> http://developer.postgresql.org/pgdocs/postgres/role-attributes.html
>>
>> Hmm. Somehow I missed that page completely when looking through the
>> docs. I'll go update that.
>
> BTW, shouldn't CONNECTION LIMIT be listed on that page? and INHERIT?
> And VALID UNTIL? They're all role attributes, no?

+1.

>>> First, it doesn't mention the replication privilege, and second it
>>> continues to claim that superuser status bypasses all permission checks.
>>
>> Well, that was *already* wrong.
>>
>> superuser doesn't bypass NOLOGIN.
>>
>> That doesn't mean it shouldn't be fixed, but that's independent of the
>> replication role.
>
> I've committed a fix for this.

I still think this is the wrong approach. Saying superuser doesn't
bypass nologin is like saying that it doesn't bypass the need to enter
the correct password to authenticate to it. You have to BE the
superuser before you start bypassing permissions checks, and NOLOGIN
and a possible password prompt control WHO CAN BECOME superuser. On
the other hand, the REPLICATION privilege is denying you the right to
perform an operation *even though you already are authenticated as a
superuser*. I don't think there's anywhere else in the system where
we allow a privilege to non-super-users but deny that same privilege
to super-users, and I don't think we should be starting now.

--
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company
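As an added illustration that is not part of the thread: the role attributes discussed above, applied the way a least-privilege deployment would use them on PostgreSQL 9.1 or later (where the REPLICATION attribute and pg_roles.rolreplication exist). The role name `replicator`, the limits, the date and the password are placeholders chosen for the example.

```sql
-- Dedicated streaming-replication role: holds REPLICATION but not
-- SUPERUSER, so a compromise of its credentials yields WAL access
-- only, not full superuser rights. Also sets the other attributes
-- mentioned in the thread (INHERIT, CONNECTION LIMIT, VALID UNTIL).
-- Assumes PostgreSQL 9.1+; the password is a placeholder.
CREATE ROLE replicator WITH
    LOGIN
    REPLICATION
    NOSUPERUSER
    NOCREATEDB
    NOCREATEROLE
    NOINHERIT
    CONNECTION LIMIT 2
    VALID UNTIL '2012-01-01'
    PASSWORD 'replace-with-real-password';

-- Audit query: every role that can open a replication connection,
-- and every superuser, so the two sets can be compared against
-- whatever policy the server is meant to enforce.
SELECT rolname,
       rolsuper,
       rolreplication,
       rolcanlogin,
       rolinherit,
       rolconnlimit,
       rolvaliduntil
  FROM pg_roles
 WHERE rolreplication OR rolsuper
 ORDER BY rolname;
```

The matching pg_hba.conf entry uses the special database name `replication` rather than a real database, for example `host replication replicator 192.0.2.10/32 md5`, restricted to the standby's address.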
